Thursday, October 8, 2015

DNS: a simple way to stop malicious web traffic

DNS-based web filtering is an easy and highly-effective component of network security. Since most web browsing - including the malicious sort - relies on DNS to translate human-readable domain names into Internet addresses, DNS is a natural choke point.

This post was first published in September 2014. It has been updated for October 2015's Cyber Security Awareness Month.

If you are reading this, chances are you made use of a Domain Name System, or DNS. Don't panic!

Putting aside for a moment the possibility that you are reading a printout, you are more than likely reading this on a digital device. Perhaps you clicked a link in search results, or on another web site, or in an email from a friend. You might have clicked a post in Facebook, Twitter, Pinterest or Instagram (I'm not sure any of my pictures are worthy of the latter two, but I suppose it's possible). Maybe this blog is syndicated to your RSS feed. Or maybe you typed the URL into your web browser directly or used a bookmark.

Regardless of the source, your browser did not just yell out on the Internet, "show me the Security for Real People blog." Instead, it referred to a DNS, a network phone book of sorts, to translate the human-readable web site name or URL into an address it could travel to.

Computers use a network protocol to communicate with one another; on modern devices this is typically IP, or Internet Protocol. DNS is how your computer knows that is actually “” (or was at the time of this writing). It happens silently in the background and is usually ignored unless it stops working. The typical DNS will give a valid answer for any web site. Whether the web site is Google, Disney, Phil's Phony Pharmacy or Ingrid's Illicit Images, an ordinary DNS will respond with the correct address for that site. If in fact you want to go to Phil's Phony Pharmacy or Ingrid's Illicit Images, that is a good thing.

In my line of work I often do want to visit a phony or malicious web site. When I am researching a botnet or a phishing scam, sometimes it helps to see what it does, to access the websites that it accesses - but I do so from a virtual machine in a protected research environment so I can avoid infecting other computers on my network. For the majority of my network I use an alternate DNS that blocks many of the undesirable web sites.

You can do this too - and it is one of the few "set it and forget it" protections that is both easy and actually effective.

There are a variety of free* DNS services that simply don’t resolve website addresses that go to known “adult” or malicious content. More accurately, they resolve such websites to a benign address that warns you about the nature of the site. In my experience this is one of the strongest additions you can make to the security of your home or small business network. Below are several that I have used or looked at; with the exception of K9 Web Protection, they work essentially the same: you either modify the network settings on your computer / device, or you modify the network settings on your router or Internet gateway. It's not as hard as it sounds.
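As an added example (not code from the original post or from any of the providers named below), here is that mechanism at the wire level: a stub resolver sends an A query, and a filtering resolver answers a blocked name with the provider's benign block-page address instead of the site's real one. The block-page address 192.0.2.100, the .example domain names and the fake_response responder are constructed placeholders so the code runs offline; a real provider publishes its own block-page address, which you would put in BLOCK_PAGE_ADDRS.

```python
"""Added example: how a filtering resolver's answer differs from an ordinary
one, shown at the DNS wire-format level (RFC 1035) so it runs offline.
The block-page address, domain names and responder are constructed placeholders."""
import ipaddress
import struct

# Constructed placeholder for the benign "this site is blocked" address a
# filtering provider hands back; real providers publish their own.
BLOCK_PAGE_ADDRS = {ipaddress.IPv4Address("192.0.2.100")}


def encode_name(name):
    """Encode 'a.example' as DNS labels: \\x01a\\x07example\\x00."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_a_query(name, txid=0x1234):
    """A standard recursive A query, as a stub resolver would send it."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    return header + encode_name(name) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def read_name(msg, off):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            pointer = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if end is None:
                end = off + 2  # the pointer is where this name ends in the stream
            off = pointer
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), end if end is not None else off


def parse_response(msg):
    """Pull the RCODE, the question name and every A record out of a response."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off, qname = 12, ""
    for _ in range(qdcount):
        qname, off = read_name(msg, off)
        off += 4  # skip QTYPE and QCLASS
    addrs = []
    for _ in range(ancount):
        _, off = read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:  # A record
            addrs.append(ipaddress.IPv4Address(msg[off:off + rdlen]))
        off += rdlen
    return {"txid": txid, "rcode": flags & 0x0F, "qname": qname, "a": addrs}


def classify(resp):
    """'blocked' when every answer is the provider's block page, else 'allowed'."""
    if resp["rcode"] == 3:
        return "nxdomain"
    if not resp["a"]:
        return "no-answer"
    if all(addr in BLOCK_PAGE_ADDRS for addr in resp["a"]):
        return "blocked"
    return "allowed"


def fake_response(query, addr=None, rcode=0):
    """Constructed stand-in for a resolver so the demo needs no network:
    echoes the question and answers with one A record (or none)."""
    txid = struct.unpack("!H", query[:2])[0]
    question = query[12:]
    answers = b""
    if addr is not None:
        # owner name as a pointer to offset 12 (the question), TTL 300, 4-byte RDATA
        answers = (b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 300, 4)
                   + ipaddress.IPv4Address(addr).packed)
    header = struct.pack("!HHHHHH", txid, 0x8180 | rcode, 1, 1 if addr is not None else 0, 0, 0)
    return header + question + answers


def lookup(name, addr=None, rcode=0):
    """Query -> (constructed) response -> verdict, end to end."""
    return classify(parse_response(fake_response(build_a_query(name), addr, rcode)))


if __name__ == "__main__":
    print(lookup("phils-phony-pharmacy.example", "192.0.2.100"))  # blocked
    print(lookup("www.example", "203.0.113.7"))                   # allowed
    print(lookup("no-such-host.example", rcode=3))                 # nxdomain
```

To turn this into a check that a device really is using the filtering resolver, send the bytes from build_a_query over a UDP socket to port 53 of the resolver you configured and feed the reply to parse_response; a known-blocked test name that classifies as "allowed" means the device is resolving elsewhere.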

Protecting a single Windows PC

If your computer connects directly to your Internet modem or if you are on a network you do not trust, you can change the DNS setting directly on your device. For Windows 7 and newer PCs, open your Start Menu or search bar and type in "Network and Sharing Center."

Click "Change adapter settings" and select the network connection you are using. In most cases it will either be "Local Area Connection" or "Wireless Network Connection."

From the connection properties window, click "Internet Protocol Version 4 (TCP/IPv4)" and click Properties. Instead of "Obtain DNS server address automatically," select "Use the following DNS server addresses" and type in the addresses for the service you prefer (for example, for Norton ConnectSafe Security + Pornography).

Protecting a single mobile device

Android devices have a similar feature. On Android you would open the settings panel and select the Wi-Fi option. Click on the wireless network you are using, then click Show advanced options.

Under IP settings, select Static instead of DHCP. You will then see additional settings you can enter. The only ones that matter are DNS 1 and DNS 2.

After entering your preferred DNS servers, change "IP settings" back to DHCP so your device will connect properly to the local network - the DNS settings you entered remain in effect even though the settings are no longer visible. For iPhone and iPad devices the screens look a bit different but the process is identical.

Keep in mind that this is only effective when you are on a wireless network and not on a cellular (3G, 4G, LTE) data connection. There are some apps that will let you control the DNS settings for cellular data, but only on rooted or jailbroken devices.

Protecting the entire home or small business network

Changing the DNS setting on each device works for individual computers (and is useful if you travel and don't want to trust the DNS servers specified by your hotel / airport / Starbucks). In most homes and businesses, though, you will have a router or wireless access point connected to your Internet modem. In that case, it can be easier to make this change once on the router, instead of on each individual device.

Each router is a little different, but all will have an option to configure DHCP (Dynamic Host Configuration Protocol - essentially your computer says "where am I?" and the router or gateway replies with network information). On my router, this setting is found by logging into the administrative console and selecting "LAN" under Advanced Settings. From there the DNS setting is identical to a PC or mobile device: just enter the numeric address of the DNS server you wish to use.

One aside: with DHCP, the network router hands configuration information to the devices on the network - but the owners of those devices can still override those settings locally. If you are familiar with Linux and iptables, it is relatively simple to add a pair of firewall rules on the gateway that allow DNS packets only to your preferred DNS server, and block attempts to circumvent your DNS protection:

# First, drop all forwarded DNS (UDP port 53) traffic...
iptables -I FORWARD -p udp --dport 53 -j DROP
# ...then add the exception for your chosen DNS server. Because -I inserts
# at the top of the chain, this ACCEPT rule ends up above the DROP rule and
# is checked first.
iptables -I FORWARD -d [ DNSIP ] -p udp --dport 53 -j ACCEPT

Replace [ DNSIP ] with the IP address or network range of your preferred DNS provider, and run the two commands in this order so that the ACCEPT rule lands above the DROP rule; any DNS requests sent elsewhere will simply be blocked.
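Rule order is easy to get wrong with -I, and DNS also runs over TCP port 53, which the two UDP rules above do not cover. As an added example (not part of the original post), here is a small audit that reads a FORWARD chain as printed by iptables -S FORWARD, walks it the way netfilter does (first match wins, then the chain policy) and reports whether DNS is pinned to one resolver for both UDP and TCP. The three rule listings are constructed samples, and 192.0.2.53 is a placeholder standing in for [ DNSIP ], not any provider's real address.

```python
"""Added example: audit a FORWARD chain (as printed by `iptables -S FORWARD`)
and check that DNS is pinned to one resolver over both UDP and TCP.
The listings below are constructed samples; 192.0.2.53 stands in for [ DNSIP ]."""
import ipaddress
import shlex
from dataclasses import dataclass
from typing import Optional


@dataclass
class Rule:
    proto: Optional[str]                      # None means "any protocol"
    dst: Optional[ipaddress.IPv4Network]      # None means "any destination"
    dport: Optional[int]                      # None means "any port"
    target: str


def parse_chain(listing):
    """Return (policy, [Rule]) from the -P / -A lines of one chain listing."""
    policy, rules = "ACCEPT", []
    for line in listing.splitlines():
        tokens = shlex.split(line)
        if not tokens:
            continue
        if tokens[0] == "-P":          # "-P FORWARD ACCEPT"
            policy = tokens[2]
            continue
        if tokens[0] != "-A":
            continue
        proto = dst = dport = target = None
        i = 2                          # skip "-A CHAIN"
        while i < len(tokens):
            flag = tokens[i]
            value = tokens[i + 1] if i + 1 < len(tokens) else None
            if flag == "-p":
                proto = value
            elif flag == "-d":
                dst = ipaddress.ip_network(value, strict=False)
            elif flag == "--dport":
                dport = int(value)
            elif flag == "-j":
                target = value
            # "-m udp" / "-m tcp" match extensions carry no information we need
            i += 2 if flag in ("-p", "-d", "-m", "--dport", "-j") else 1
        rules.append(Rule(proto, dst, dport, target or "RETURN"))
    return policy, rules


def verdict(policy, rules, proto, dst_ip, dport):
    """First-match evaluation, the way netfilter walks a chain."""
    ip = ipaddress.ip_address(dst_ip)
    for r in rules:
        if r.proto not in (None, proto):
            continue
        if r.dst is not None and ip not in r.dst:
            continue
        if r.dport not in (None, dport):
            continue
        return r.target
    return policy


def audit_dns_pinning(listing, resolver, other="198.51.100.1"):
    """Findings are empty only when UDP and TCP port 53 reach the chosen
    resolver and nothing else. `other` is a constructed foreign resolver."""
    policy, rules = parse_chain(listing)
    findings = []
    for proto in ("udp", "tcp"):
        if verdict(policy, rules, proto, resolver, 53) != "ACCEPT":
            findings.append(f"{proto}/53 to {resolver} is not accepted")
        if verdict(policy, rules, proto, other, 53) not in ("DROP", "REJECT"):
            findings.append(f"{proto}/53 to other resolvers is not blocked")
    return findings


# Constructed: what `iptables -S FORWARD` shows after the two -I commands from
# the post, run in the documented order (the second -I lands above the first).
POST_RULES = """\
-P FORWARD ACCEPT
-A FORWARD -d 192.0.2.53/32 -p udp -m udp --dport 53 -j ACCEPT
-A FORWARD -p udp -m udp --dport 53 -j DROP
"""

# Constructed: the same chain with matching TCP rules added.
HARDENED_RULES = """\
-P FORWARD ACCEPT
-A FORWARD -d 192.0.2.53/32 -p tcp -m tcp --dport 53 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 53 -j DROP
-A FORWARD -d 192.0.2.53/32 -p udp -m udp --dport 53 -j ACCEPT
-A FORWARD -p udp -m udp --dport 53 -j DROP
"""

# Constructed: the two commands run in the wrong order, so DROP shadows ACCEPT.
SHADOWED_RULES = """\
-P FORWARD ACCEPT
-A FORWARD -p udp -m udp --dport 53 -j DROP
-A FORWARD -d 192.0.2.53/32 -p udp -m udp --dport 53 -j ACCEPT
"""

if __name__ == "__main__":
    for label, listing in (("post", POST_RULES), ("hardened", HARDENED_RULES),
                           ("shadowed", SHADOWED_RULES)):
        print(label, audit_dns_pinning(listing, "192.0.2.53"))
```

Against the post's own two rules the audit reports only that TCP port 53 to other resolvers is not blocked; the hardened listing shows the fix, which is the same pair of rules repeated with -p tcp. The audit deliberately ignores -m match extensions and source addresses, so extend parse_chain if your chain uses them.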

A few DNS options

Website filtering (whether via DNS or a software agent such as K9 Web Protection) is only as good as the filtering list. The services below have built a fairly good reputation for quickly updating their filters, but there is still a period of time between when a new malicious link is created, and when it is added to block lists. DNS filtering is extremely effective, but it won't stop every single piece of badness. It's one layer in the security stack.

  • Norton ConnectSafe is perhaps the simplest option. You just change the DNS setting in your network configuration to point to one of three addresses. The first option ("Security") blocks sites known to host malicious software, phishing attacks, and scams. The second ("Security + Pornography") blocks all of these along with pornography. The third ("Security + Pornography + Other") blocks all of the above, along with mature content, abortion, alcohol, crime, cults, drugs, gambling, hate, sexual orientation, suicide, tobacco or violence.

    The catch is, you get to choose among the three options Norton provides, but have no way to fine-tune things to suit your personal preferences.

  • OpenDNS Family Shield is my personal favorite. It is slightly more involved, but far more customizable. With OpenDNS you create an account, with which you can select specific categories to block. In addition to the standard malicious content filter, there are about 60 other categories, ranging from nudity to gambling, dating to employment and job-seeker sites. Depending on your personal and household preferences, there is quite a bit of fine-tuning available.

    A side note: OpenDNS was recently acquired by Cisco, maker of network equipment used by many of the biggest companies in the world. I've received feedback from some readers turned off by allegations that Cisco equipment has been used in NSA spying activities. To be frank, I write primarily for "the 99%." For most people, routine malware, weak passwords, and phishing are a far greater risk than a nation-state adversary.

  • BlueCoat, a maker of highly-regarded enterprise web filtering appliances, takes a different approach in its free K9 Web Protection product. With K9 Web Protection, you install a program or "agent" on your computer or device, then select the categories you would like to block. K9 has the added advantages of time-based controls (block Internet browsing during late night hours, for example), and tamper-resistance. It is more difficult for a savvy teen (again for example) to bypass the K9 agent than for the same teen to change their DNS resolver back to one that resolves undesired web sites.

    In my experience however the K9 agent had a tendency to fail, and would default to blocking all Internet traffic. Let's just say the wife found this highly annoying.

  • Dyn Internet Guide is one I have not used personally, but it appears to work very similarly to OpenDNS Family Shield. You create an account, adjust filtering categories to suit your preferences, and change your DNS settings to use their servers.

  • Secure DNS by Comodo is another option, very similar to Norton ConnectSafe in that it is a one-size-fits all, set it and forget it option. It too is one I have no personal experience with, but it is recommended by people I trust.

* There's always fine print. Most of the "free" options specify "free for personal use only." If you run a small business from your home, I'm not going to tell you when you cross the line from personal to commercial use (there are lawyers for that). I will tell you that several of these DNS providers offer commercial solutions for fees ranging from reasonable to eye-popping.

Do you have something to add? A question you'd like answered? Think I'm out of my mind? Join the conversation below, reach out by email at david (at), or hit me up on Twitter at @dnlongen